Organizations all over the world are struggling with how
to guard their systems against new, targeted cyber threats
---and federal agencies are no exception. The goal is to stop
widespread damage.
With continuous monitoring, agencies constantly assess the
state of their information security controls across their entire
enterprise. The hope is that with constant review, greater
security will follow.
What are agencies afraid of? The dangers include natural
disasters, structural failures and human errors, according to
Ron Ross, a fellow at the National Institute of Standards and
Technology. But most of all, they worry about hostile cyber attacks.
"Advanced persistent threat is what scares all of us who work
in this space," Ross said during a recent FCW Webinar. "The
adversaries out there are sophisticated and well-resourced."
The key to building an effective continuous monitoring
program starts with having a strong information technology
infrastructure, Ross said.
"Building that IT infrastructure as strong as we can build it
reduce and manage that complexity by getting it "lean and mean"
RISK-BASED DECISIONS
Agency security controls are driven by different cyber attacks
important that they are built into the mainstream organizational
processes, including enterprise architecture and systems
engineering, Ross said.
Also, agencies should ensure information security
decisions are risk-based and part of routine cost, schedule
and performance tradeoffs, he said. Additionally, continuous
monitoring concepts should be applied across the organizational,
mission-process and information systems levels.
Given that threats are constantly evolving, agencies should
monitor critical assets more frequently so they are able to rapidly
detect if something nefarious has occurred, said John Pescatore,
director of emerging security trends at the SANS Institute. "We
[have to] close the window more quickly and minimize the damage.
The goal is to be more proactive to continuously changing threats,"
he said during an April 5th SANS Institute webinar.
agencies to monitor everything, all the time. The best approach,
Pescatore said, is to prioritize security controls and determine
with what frequency they need monitoring. "The most important
things to monitor continuously are the most volatile," he said.
"The real thing attackers take advantage of is change---new
versions of software, new machines."
One thing agencies should steer clear of is trying to follow
compliance guidelines in the hope that it will improve security.
out what the attacks are exploiting, focus on security controls
that provide immediate feedback, and look for actual solutions
that work.
The most important result of continuous monitoring is
situational awareness, Ross said. An agency wants to understand
the day-to-day status of the controls they have deployed and
how those controls stand up to cyber threats.
Continuous monitoring
requires a measured approach
GameChanger: GAME CHANGING TECHNOLOGY TO MEET AGENCY MISSION
CONTINUOUS MONITORING
SPONSORED REPORT
3 PRINCIPAL OBJECTIVES TO
CONTINUOUS MONITORING
PROGRAMS
1. UNDERSTAND how effective your risk responses have
been. Deploy a set of controls in response to that risk,
review and monitor how well you did.
2. IDENTIFY changes to systems and environments of
operation. Did you apply patches, did you hire new
people?
3. VERIFY compliance to federal legislation, executive
orders, directives, policies, standards, guidelines.
Source: Ron Ross, NIST